
Journalists have been asking me whether the revulsion against the abuse of Facebook data could be a turning point for the campaign to recover privacy. That could happen, if the public makes its campaign broader and deeper.

Broader, meaning extending to all surveillance systems, not just Facebook. Deeper, meaning to advance from regulating the use of data to regulating the accumulation of data. Because surveillance is so pervasive, restoring privacy is necessarily a big change, and requires powerful measures.

The surveillance imposed on us today far exceeds that of the Soviet Union. For freedom and democracy’s sake, we need to eliminate most of it. There are so many ways to use data to hurt people that the only safe database is the one that was never collected. Thus, instead of the EU’s approach of mainly regulating how personal data may be used (in its General Data Protection Regulation or GDPR), I propose a law to stop systems from collecting personal data.

The robust way to do that, the way that can’t be set aside at the whim of a government, is to require systems to be built so as not to collect data about a person. The basic principle is that a system must be designed not to collect certain data, if its basic function can be carried out without that data.

Data about who travels where is particularly sensitive, because it is an ideal basis for repressing any chosen target. We can take the London trains and buses as a case for study.

The Transport for London digital payment card system centrally records the trips any given Oyster or bank card has paid for. When a passenger feeds the card digitally, the system associates the card with the passenger’s identity. This adds up to complete surveillance.

I expect the transport system can justify this practice under the GDPR’s rules. My proposal, by contrast, would require the system to stop tracking who goes where. The card’s basic function is to pay for transport. That can be done without centralising that data, so the transport system would have to stop doing so. When it accepts digital payments, it should do so through an anonymous payment system.

Frills on the system, such as the feature of letting a passenger review the list of past journeys, are not part of the basic function, so they can’t justify incorporating any additional surveillance.

These additional services could be offered separately to users who request them. Even better, users could use their own personal systems to privately track their own journeys.

Black cabs demonstrate that a system for hiring cars with drivers does not need to identify passengers. Therefore such systems should not be allowed to identify passengers; they should be required to accept privacy-respecting cash from passengers without ever trying to identify them.

However, convenient digital payment systems can also protect passengers’ anonymity and privacy. We have already developed one: GNU Taler. It is designed to be anonymous for the payer, but payees are always identified. We designed it that way so as not to facilitate tax dodging. All digital payment systems should be required to defend anonymity using this or a similar method.

What about security? Such systems in areas where the public are admitted must be designed so they cannot track people. Video cameras should make a local recording that can be checked for the next few weeks if a crime occurs, but should not allow remote viewing without physical collection of the recording. Biometric systems should be designed so they only recognise people on a court-ordered list of suspects, to respect the privacy of the rest of us. An unjust state is more dangerous than terrorism, and too much security encourages an unjust state.

The EU’s GDPR regulations are well-meaning, but do not go very far. They will not deliver much privacy, because their rules are too lax. They permit collecting any data if it is somehow useful to the system, and it is easy to come up with a way to make any particular data useful for something.

The GDPR makes much of requiring users (in some cases) to give consent for the collection of their data, but that doesn’t do much good. System designers have become expert at manufacturing consent (to repurpose Noam Chomsky’s phrase). Most users consent to a site’s terms without reading them; a company that required users to trade their first-born child got consent from plenty of users. Then again, when a system is crucial for modern life, like buses and trains, users ignore the terms because refusal of consent is too painful to consider.

To restore privacy, we must stop surveillance before it even asks for consent.

Finally, don’t forget the software in your own computer. If it is the non-free software of Apple, Google or Microsoft, it spies on you regularly. That’s because it is controlled by a company that won’t hesitate to spy on you. Companies tend to lose their scruples when that is profitable. By contrast, free (libre) software is controlled by its users. That user community keeps the software honest.

Benjamin White, Head of Intellectual Property, British Library, writes about steps libraries should take now to prepare for new legislation:

The General Data Protection Regulation (GDPR) comes into force across the European Union on May 25th 2018. Despite this the UK’s Data Protection Bill is still being debated in the Houses of Parliament. This creates a challenging situation for organisations because the details of UK implementation of the new data protection legislation remain unconfirmed. Given this, organisations such as libraries should ideally plan to implement the GDPR itself, and once the Bill comes into law revisit your activities in its light.

After the Snowden revelations, and the realisation in the public psyche that privacy is a limited commodity in an online world, we can see a huge rise in awareness of privacy issues. Organisations not only need to demonstrate how they use people’s personal information [1] responsibly, but they need to protect themselves from the financial and reputational harms of being found to be non-compliant with data protection law. For example, higher penalties of up to €20 million or 4% of global turnover are possible for more serious infringements of core principles of the Regulation.

One of the common misconceptions around data protection law is that personal data only relates to sensitive information. This isn’t the case: it also regulates “simple” forms of personal data such as names, email addresses, telephone numbers etc.

The aim of this article is to suggest some of the activities a library should undertake to ensure compliance with the GDPR.

A Possible Checklist

All educational establishments in the UK are likely to have a Data Protection Officer. If you are subject to Freedom of Information requests you will need a Data Protection Officer independent of senior decision makers [2]. If they have not already been in touch with the library, you should proactively contact them to find out whether they have incorporated the work of the library into their activities. The types of personal data a library might manage can range from library membership information and the research datasets it holds, through to personal data on institutional repositories, marketing information, as well as personal data in analogue and digitised collections. Unique archival collections are another important area that can hold much sensitive personal data and that any university data protection officer should be made aware of.

Data protection law places many obligations on organisations that hold personal data (called data controllers in the law) but some of the main activities that should be undertaken to prepare for the GDPR coming into force include:

1. Data Security

Arguably, in terms of data protection law, one of the most important things for any library to focus on is the security of personal data. Recent findings in Kroll’s 10th annual Global Fraud and Risk report stated that 86% of those surveyed reported a cyber incident, with 70% reporting some type of security incident – up by 2% on the previous year. The types of personal data a library may keep are also changing. Alongside traditional areas, with many funders requiring or encouraging that research datasets are archived, the security of this type of information should be an important consideration for library managers.

A recent article on the BBC News website [3] highlighted how some Amazon Web Services users (including companies, universities and governments) were finding in their data lockers messages from independent security researchers warning them that their lockers were insecure and could be targeted by hackers. Misconfigured settings, forgotten data stores, and not keeping patches up to date are common issues that create vulnerabilities for data controllers. In short, staying on top of your data security should be at the top of your GDPR To Do List.

2. Information Auditing

In order to comply with the GDPR it is highly advisable to understand more about the personal data you currently hold and how you use it. Many organisations are therefore undertaking what is called an information audit. This can include:

Checking IT and any other data sharing contracts to ensure they reflect the GDPR. (The European Commission is expected to issue model contract clauses which will help with this, but currently none have been forthcoming.)

Map where data comes from, where it is held, who has access to it and who you share it with.

Record the type of personal information you hold, and establish your legal basis for using these different personal data types. (N.B. As part of a university, while performing a “public task” a university library cannot rely on the “legitimate interests” legal basis for holding and using personal data – this may mean that you now have to establish new legal grounds for processing information in certain situations. If an activity is outside your public task, “legitimate interests” may be possible to rely on. Universities, like cultural heritage institutions, are in this respect known as “hybrid bodies”.)

Make decisions around how long you should keep different types of personal data. You should not hold more personal data than you strictly need, and it should also not be kept for longer than is strictly necessary. There is a general obligation to ensure the data is up to date, so processes to ensure the data is accurate need to be established.

Check how robust your policies and processes are around data security, destruction of personal information you no longer need, and maintaining the currency of personal data.

3. Privacy Statements

Having undertaken an information audit, all organisations should review their public facing privacy statements, as the Regulation brings about quite a step-change in the requirements of your privacy notices. These need to be intelligible and as easily understandable as possible by anyone of teenage years and up. They should outline your specific legal grounds for using personal data in regards to named activities, why you are using personal information, where the data comes from and with whom it is shared, as well as your contact details and the types of personal data you hold.

To kill two birds with the same stone, and therefore discharge a number of your legal obligations (such as those that relate to subject access requests) in one go, it would be sensible to also cover in the privacy statement how long you intend to keep the data, and the types of rights people have in the law to control how their personal information is being used. Any profiling or automated decisions made about people should also be clear in the privacy statement.

4. Record Keeping

The GDPR requires data controllers to create and retain information in certain situations and also to provide specific information to data subjects, for example when responding to subject access requests. Your library should establish with the university’s Data Protection Officer what information, if any, you will need to keep in order that the university can comply with the law.

5. Time Sensitive Activities

The period within which a subject access request has to be responded to is reducing from forty days to one month. A data breach may need to be reported to the Information Commissioner’s Office within 72 hours and in certain cases to data subjects as well. Ensuring that the library is able to comply within these demanding time frames and liaise quickly with the university’s Data Protection Officer will be vitally important.

6. Transfers of Personal Data Particularly Beyond the EU

Access to and sharing of personal data is strictly regulated by Data Protection Law. People have the right to know exactly how their personal data is being used, and with whom it is shared. Data protection law also has particular rules regarding exporting personal data beyond the European Economic Area (EEA, the states of the EU plus Iceland, Norway, and Liechtenstein) so any activities, such as collaborative research projects or use of cloud-based services, that involve personal data travelling beyond the EEA will require additional checks and safeguards.

7. Training

An important principle in the GDPR is what is known as “privacy by design”. This means thinking about protecting people’s personal information should be at the forefront of what you do. In order for the university to show it is complying with this principle, as a minimum training should be given to staff. In terms of library staff, it will be important that they have a basic understanding of data protection law. For those involved in giving access to collections, it is also important that they are familiar with arguably three of the most relevant exemptions in the GDPR for libraries:

Archiving in the Public Interest (Art 89)

Scientific / Historical Research and Statistical Purposes (Art 89)

Freedom of Expression and Information (Art 85)

8. Legal Underpinning for Archiving

Data protection law allows for certain activities to be undertaken that otherwise would not be legally possible. These are called “derogations” or “exemptions”.

In order that libraries can enjoy the wide exemptions that are given to organisations “archiving in the public interest” there must be a legal basis that puts obligations on them to undertake various activities relating to collecting, and disseminating the historical record. Recital 158 of the GDPR states (emphasis added):

Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest.

Unlike some other European countries, the UK does not have a single Act of Parliament that creates such an obligation on organisations that hold historical records. Neither has the government thus far included this requirement in the Data Protection Bill. In order to enjoy this exemption, therefore, a cultural heritage institution will either have to look to an Act of Parliament that regulates their organisation, or towards documentation that creates a legal obligation in UK law. According to certain lawyers, this could include documentation that outlines your public task, or similar constitutional documents that regulate how your organisation is run.

It would therefore be advisable to establish what the legal basis is that allows your institution to “archive in the public interest”. If this is not clearly defined in statute, constitutional documentation that sets out the function and role of your organisation should be revisited and updated to create archival obligations on the library, archive or museum. In the event of a legal challenge around the exercise of this derogation, and in the absence of a statutory underpinning, clear constitutional documentation is likely to be your best defence as to the basis for exercising the archival exemptions provided for in the Act.

9. Understanding the Exemptions

Archiving in the Public Interest

This exemption enables the keeping of historical materials (published and unpublished) by removing the obligation to ensure personal data is accurate and kept up to date and by ensuring that material, irrespective of why it was first collected, can be retained for archival purposes. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights of individuals to have their data erased (“right to be forgotten”) or amended. Other rights, such as being able to prevent someone’s data being used by an organisation, the right to find out what data is being held on a person, and the right to have data transferred to another person or organisation, are also not relevant if asserting the archiving exemption.

Scientific / Historical Research and Statistical Purposes

These exemptions are closely linked to the archiving in the public interest exemption, and appear in the same Article. They allow research to be undertaken using personal information that was collected for a different purpose and relax the prohibitions around keeping personal data for as short a time as possible. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights to have your data amended, and to object to your data being used.

What “scientific” and “historical” actually mean has not been defined in the GDPR or the Bill, but perhaps thinking of science in the Latin sense, “scientia”, meaning knowledge, is something that our community should consider.

Freedom of Expression and Information

This exemption has been expanded from the similar exemption under the Data Protection Act 1998 to cover work of academics as well as journalists in undertaking research and publishing of information relating to a living person. The GDPR allows Member States to implement this provision relatively freely, and it is likely that oddities in the current draft of the Data Protection Bill will change. A couple of the anomalies currently seen in the draft include that an academic publishing materials using personal data would be subject to newspaper codes of practice. There is also currently a gap relating to the issue of legal underpinning of archiving activities as highlighted above. Whereas an academic or journalist may have the rights to use personal data as part of “freedom of expression” exemptions, the archive may not be able to supply the information, given the question marks over the lack of statute based legal underpinning for organisations archiving in the public domain.

10. Engagement with your Data Protection Officer

Data protection law can seem overwhelming and difficult to get to grips with. Luckily in a university you will have a DPO with whom you can consult and work on GDPR implementation requirements. By engaging positively with them, you will not only be protecting the university from potential action by the Information Commissioner’s Office, you will be demonstrating to students, university employees as well as people further afield that the library is a responsible place that sensitively handles personal data and privacy. Reputationally this is likely to serve you well now and in the long run.

[1] The law refers to personal data as something that can identify, either directly or in combination with other information, a living individual – this includes opinions also. Examples include names, emails, library card numbers, medical and religious information etc.

[2] If you are not subject to FOI, you will need a Data Protection Officer if you are undertaking systematic monitoring of people on “a large scale”, or if using sensitive personal data / criminal conviction data on a “large scale.” “Large scale” is not defined but some people suggest that a hospital processing patient data would constitute large scale.

This post is based on a talk our contributor Aude gave at the CILIP Conference on 6th July 2017, which was written-up for K & IM Refer: Journal of the Knowledge and Information Management Group (CILIP). This article has been published online (also on Aude’s own blog) as part of K & IM Refer Autumn 2017 issue.

All the technology around us – cameras, phones, our internet use, online communications, etc. – collects data about us. For example: most of us carry a smartphone around all the time. How many of us are fully aware that if the GPS is on, our phone company can pinpoint where we are with an accuracy of 5 to 8 meters? If the phone company knows, who may also have access to our location data? Are we comfortable with this situation? Would you change your behaviour and turn off your GPS when you don’t use it now you know this, or would you decide the convenience outweighs the disadvantages?

Privacy is about choice. As citizens, we need to be aware of this situation to be able to make informed decisions about whether we want to protect some of our data and how much effort we are ready to put into protecting our privacy. Once we have the facts we also need the skills: we need to know about tips and tools available to help us protect our information.

Libraries defend people’s rights

I believe that libraries exist to defend people’s right to enrich and improve their own lives, their environment and society. We library and information professionals make this happen by facilitating access to and the sharing of information, knowledge and culture.

In many sectors library and information professionals already devise and deliver digital skills training, ranging from a basic introduction to computers to searching online resources effectively. Knowing how to protect one’s privacy online is part of those digital literacy skills everyone should have; that’s why at Newcastle Libraries we have started looking into how we could best help our citizens.

Learning about privacy issues and tools

Our team’s awareness of privacy issues originally came from reading technology articles or from initiatives in libraries in other countries such as France or the USA. American librarians have created very useful materials that are a good place for us in the UK to start learning – I would particularly recommend the Library Freedom Project and the Data Privacy Project.

In Scotland the Scottish PEN has also been delivering “Libraries for privacy: digital security workshops” with support from CILIP Scotland and the Scottish Library and Information Council. I was able to attend one of those workshops, which inspired me to create a short training session for colleagues at Newcastle Libraries. I initially ran two sessions for librarians and senior managers in March 2017, and will be rolling it out to as many staff as possible this autumn. The first two sessions included time for us to discuss and decide what we wanted to do in our service regarding online privacy.

Initiatives for citizens

We wanted to offer information and training about protecting one’s privacy online to local citizens. In 2016 we had already co-organised two cryptoparties; we decided we should host some more. A cryptoparty is an informal gathering of individuals to discuss and learn about tips and tools for privacy and security in our digital world. We co-organised ours with local members of the Open Rights Group who have the relevant technological knowledge that we might lack (!) – in partnership with the same individuals, our next cryptoparty will take place in November.

We have also noticed that cryptoparties tend to attract citizens who are already aware of privacy issues. How do we reach out to those who do not (yet) have that awareness? It is something that we are still exploring. One idea we want to implement is to include privacy among the topics covered in our digital skills sessions, but we are also trying to find other ways to, in a way, talk about privacy in a skills session without first telling people that we are.

Standing up for citizens’ privacy

With Newcastle Libraries colleagues we felt that we could not be teaching citizens about tools to protect their privacy on the Internet and yet say: “By the way, this does not apply when you are using library computers or services”! We want to offer our computer users an Internet browser with enhanced privacy features – ideally, this would be Firefox with DuckDuckGo as the default search engine plus add-ons such as HTTPS Everywhere and Privacy Badger. I would love for us to offer Tor Browser or even for the library to be a Tor relay; however, I thought asking first for Firefox would be a lot less controversial… We are in conversation with our IT department; they have objections but these are about the practicalities of applying updates to the Firefox browser, which they cannot manage centrally like they currently do for Internet Explorer and Google Chrome.

An easier thing we can and will do is to be more transparent to citizens about how their information is handled when they use Newcastle Libraries services. When you use a library computer, you should be aware that our IT department records which websites you visit and that this information is kept for 12 months. When you use our e-books platform, we should tell you before you login what our supplier does with your data. It may take some time but it is relatively easy for us to add this kind of information on our website and other materials.

Once we start with this work we can review what we record – should we really be keeping your browsing history for this long? What is it used for; are we legally obliged to do so? Regarding third-party providers of library services, we should be requesting that they take steps to protect your data to our standards.

In truth, what we need is a privacy policy – the American Library Association Office for Intellectual Freedom has some fantastic information and templates adapted to the US context but that still gives us some useful pointers. Privacy terms and policies is a bigger piece of work but it is one we can build one chapter at a time, in order to support citizens with protecting their privacy online.

CHIPA responded in May 2017 to the Department for Digital Culture, Media and Sport (DCMS) call for views on implementing derogations under the General Data Protection Regulation (GDPR) and the upcoming Data Protection Bill.

Ensure that archives and the historical record are protected from interference by implementing the widest freedom of expression exemptions possible, in particular to ensure archives with collections of a political, audiovisual and newspaper nature are able to protect and share the historical record;

We have written to Matt Hancock MP, Minister of State for Digital, regarding the implementation of the General Data Protection Regulation (GDPR) and the upcoming Data Protection Bill. These are directly pertinent to the activities of cultural heritage institutions.

Fiona Hyslop MSP and Vaughan Gething AM are copied into the letter in consideration of devolved cultural policy in Scotland and Wales.

Implementation of the General Data Protection Regulation

Dear Matt Hancock,

We are writing with respect to the UK implementation of the General Data Protection Regulation (GDPR) and the upcoming Data Protection Bill. The subject matter of these is directly pertinent to the activities and roles of cultural heritage institutions.

Cultural heritage institutions, including museums, galleries, archives, and libraries, both public and private, play a vital role in promoting research and intellectual freedom in the UK, while supporting and protecting freedom of expression and privacy. Cultural organisations are essential sources of information and are responsible for safeguarding and enabling access to collections of social, political, historical, and scientific significance.

To protect the role of cultural heritage institutions and their stakeholders and users, we believe the following should be enabled in the upcoming Data Protection Bill:

Clear legal foundations should be set out for the activities of ‘archiving in the public interest’ (in accordance with Recital 158 GDPR), which are essential in order to ensure that institutions that undertake archiving activities in the public interest are legally able to do so under the GDPR and in turn are able to benefit from public interest archiving exemptions (including those implemented through Article 89 GDPR). These foundations should apply both to public and private organisations in respect of archiving activities that are carried out ‘in the public interest’. Without this we believe implementation of Article 89 exemptions may be academic as organisations may not have the underpinning required by the GDPR in order to enjoy them.

Ensure that derogations for research activities (Article 89 GDPR) are implemented in a wide and clear manner so as to provide protection to the socially, politically, and economically vital research activities of cultural heritage institutions and users of their collections. In particular, the derogations should be aligned to the safeguards set out in Article 89(1) GDPR and avoid transposition of the unclear requirements of s.33 Data Protection Act 1998 (DPA). Our view is that s.33 DPA places unclear, unenforceable, and unnecessary limitations on research activities in the form of the ban on processing personal data ‘to support measures or decisions with respect to particular individuals’.

The Bill should clarify that certain data controllers, in particular public cultural heritage institutions, may process personal data on the basis of any valid legal ground (under Article 6 GDPR). The GDPR states that public bodies may not process personal data on the grounds of ‘legitimate interests’ in respect of their public tasks. However, certain public bodies, including many cultural institutions such as museums and libraries, undertake other tasks that are beyond their public interest tasks (for example, running a shop or cafe). In respect of such further tasks, public cultural heritage institutions should not be precluded from relying on the legitimate interests grounds for processing personal data where there is no other legal basis for using personal data.

Freedom of expression and information derogations (Article 85 GDPR) should include the activities of cultural heritage institutions. Data protection law must not be able to suppress access to archival and cultural collections, in particular those of a political or other public interest nature. A lack of strong protection under these derogations could inflict damage on the sector’s ability to support and advance freedom of expression. It would also leave unclear the interplay between authors and journalists who can benefit from these exemptions, and cultural heritage institutions that provide the materials to them, which would be excluded.

The understanding of what constitutes ‘research’ under the GDPR should be interpreted widely. The use of data for all research activities that are undertaken legitimately and without harm to the rights and freedoms of data subjects should not be curtailed. In particular, the understanding of research should incorporate both commercial and non-commercial research activities that are legitimate and that properly protect subjects’ rights and freedoms.